Bug 1432083 - tomcat_t domain is in unconfined_domain

| Field | Value |
|---|---|
| Summary | tomcat_t domain is in unconfined_domain |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | omokazuki <ka-omo> |
| Component | selinux-policy |
| Assignee | Vit Mojzis <vmojzis> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.3 |
| CC | csutherl, dmoppert, jonderka, lvrabec, mbabacek, mgrepl, mmalik, plautrba, pvrabec, ssekidde, zpytela |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-3.13.1-145.el7 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2017-08-01 15:22:43 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
omokazuki
2017-03-14 13:41:25 UTC
Lukas Vrabec (comment #3):

I expect more AVCs here, could you test tomcat in permissive mode? Thanks.

omokazuki:

(In reply to Lukas Vrabec from comment #3)
> I expect more AVCs here, could you test tomcat in permissive mode?
>
> Thanks.

Hi, I'm not an expert on tomcat (I'm just a security researcher), so I can't get enough AVCs for tomcat to work properly. Sorry...

So I guess we have 2 ways to fix this:

1. Just remove unconfined_domain(tomcat_t) from tomcat.te, or
2. Add the boolean below (example) to choose whether tomcat works in unconfined_domain or not.

I know the policy below will not work (I couldn't compile it on Fedora 25), but I guess we could create this kind of boolean as a temporary solution. So what do you think?

OMO

------------------------------------------------------------
+####################################### +# +# tomcat local policy +# + +## <desc> +## <p> +## Allow tomcat to run unconfined scripts +## </p> +## </desc> +gen_tunable(tomcat_run_unconfined, true) + +tunable_policy(`tomcat_run_unconfined',` + optional_policy(` + unconfined_domain(tomcat_t) + ') +')

Closing comment:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861
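Review bot: the tunable in the proposed policy defaults to true (gen_tunable(tomcat_run_unconfined, true)), so with this patch applied tomcat_t would still be unconfined out of the box and the condition this bug reports would remain the shipped default; an opt-in escape hatch should default to false, with administrators enabling it explicitly via setsebool. The <desc> block is also inaccurate: it says "Allow tomcat to run unconfined scripts", but the block makes the tomcat_t domain itself unconfined, and the description should say exactly that so the boolean's risk is visible in the documentation generated from it. On the compile failure the author mentions: unconfined_domain() expands to typeattribute statements, and the SELinux policy language does not permit attribute assignments inside the conditional if block that tunable_policy generates, so attribute membership cannot be toggled by a boolean at all and this approach cannot be made to compile by adjusting the macro nesting. That leaves option 1, removing unconfined_domain(tomcat_t) from tomcat.te, as the workable fix, which is consistent with the bug being closed by the selinux-policy-3.13.1-145.el7 erratum.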